Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Hello, I'm new here & got a SHeur2 virus, please help!

  • This topic is locked This topic is locked
3 replies to this topic

#1 DonSimon


  • Members
  • 1 posts
  • Local time:01:11 AM

Posted 18 December 2009 - 04:28 PM

Hello all & thanks for reading this.
This is the first time I've got a virus as serious as this so I'm not sure if I'm out of my league with this one.
My laptop recently got infected with what AVG said was the SHeur2 virus & even though I kept deleting it kept replicating. It would arrive in my Temp folder under a different name each time and the final extension was always svchost.exe. I also seemed to be infected with a Dropper.Generic, a Downloader.agent & something called PSW.OnlineGames3 so I don't know what is causing what, but my limited research suggests to me that it is the SHeur2 that seems the main culprit. The symptoms I have noticed are: Messages suggesting I use Outlook as my mail agent when using emails & also when signing up to this site (I have not done this), occasional forced opening of IE & when I check the history it is full of random sites that I have not visited & soon after that IE crashes. (I usually Mozilla but this is disturbing.) Anyway I'm pretty sure my Java platform is infected also & though it would be no problem to delete it & reinstall, I imagine that there are other things that I should do first to avoid it becoming re-infected. I have also had a.exe, b.exe &c.exe files written to my computer which must be linked. I have just ran HouseCall & this seems to have improved matters but I imagine there is some damage elsewhere which I want to attempt to sort out for myself before resorting to taking my comp to a shop. I'm not experienced in this but it would be good for me to learn at the very least. Anyway, I'm pasting my Hijack log data in the hope that somewhere out there can help me. I hope that's this is not too wordy!
Many thanks,
Don Simon

Index % of PCs with item Code Data
1 0.0% F2 UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
53 0.0% P01 C:\WINDOWS\Explorer.EXE
54 0.0% P01 C:\WINDOWS\system32\svchost.exe
55 0.0% P01 C:\WINDOWS\system32\lsass.exe
56 0.0% P01 C:\WINDOWS\system32\winlogon.exe
57 0.0% P01 C:\WINDOWS\system32\services.exe
58 0.0% P01 C:\WINDOWS\System32\smss.exe
59 0.0% P01 C:\WINDOWS\system32\spoolsv.exe
60 0.0% P01 C:\WINDOWS\system32\ctfmon.exe
61 0.0% P01 C:\Program Files\Internet Explorer\iexplore.exe
62 0.0% P01 C:\WINDOWS\system32\rundll32.exe
63 0.0% P01 C:\WINDOWS\system32\wuauclt.exe
64 0.0% P01 C:\Program Files\Messenger\msmsgs.exe
65 0.0% P01 C:\WINDOWS\System32\hkcmd.exe
66 0.0% P01 C:\WINDOWS\system32\igfxpers.exe
67 0.0% P01 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
68 0.0% P01 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
69 0.0% P01 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
70 0.0% P01 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
71 0.0% P01 C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
72 0.0% P01 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
73 0.0% P01 C:\WINDOWS\System32\bcmwltry.exe
74 0.0% P01 C:\WINDOWS\System32\WLTRYSVC.EXE
75 0.0% P01 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
76 0.0% P01 C:\WINDOWS\system32\WLTRAY.exe
77 0.0% P01 C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
78 0.0% P01 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
79 0.0% P01 C:\Program Files\Nero\Nero 7\InCD\InCD.exe
80 0.0% P01 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
82 0.0% P01 C:\Program Files\AVG\AVG9\avgchsvx.exe
83 0.0% P01 C:\Program Files\AVG\AVG9\avgrsx.exe
84 0.0% P01 C:\Program Files\AVG\AVG9\avgwdsvc.exe
85 0.0% P01 C:\Program Files\AVG\AVG9\avgnsx.exe
86 0.0% P01 C:\PROGRA~1\AVG\AVG9\avgtray.exe
87 0.0% P01 C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\91ZAFYDO\HijackThis[1].exe
88 0.0% P01 C:\Program Files\Java\jre6\bin\jqs.exe
89 0.0% P01 C:\Program Files\Java\jre6\bin\jusched.exe
90 0.0% P01 C:\Program Files\AVG\AVG9\avgcsrvx.exe
91 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
92 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents and Settings/Admin/Desktop/Doc1.htm
93 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
94 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
95 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

Explanation of the codes
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
O24 - Enumeration of ActiveX Desktop Components

BC AdBot (Login to Remove)


#2 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:11 AM

Posted 18 December 2009 - 06:11 PM

Hi DonSimon,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

The above procedure is a standard one, however in your case I would like to emphasize that running any tool other than suggested here might leave your computer unbootable.


One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is likely compromised. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine. If you decide to remove the infection please go on with the following steps.

Removal Instructions
  • If you take at a look at other HijachThis logs in other threads you will find out that even the log you have posted is severely damaged, and this says enough about what this infection is able to cause.

    I would like you to post the logs requested the moment they are made and post the subsequent logs later on. Thus please don't save them to post them together.

  • Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open, copy and paste them to your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

[*]Download the GMER Rootkit Scanner exe file from [http://www.gmer.net/]here[/URL] and save it to your desktop.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Disconnect from the Internet and close all running programs.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
    • Show All (this one also should be unchecked)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
  • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.

#3 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:11 AM

Posted 23 December 2009 - 04:36 PM

Are you still there?

#4 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:11 AM

Posted 24 December 2009 - 11:35 AM

This thread will now be closed due to lack of activity.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users